California sues the company that bought 23andMe, alleging it failed to protect customers’ data

Chrome Holding Co., formerly known as 23andMe, is failing to protect its customers’ sensitive personal information and genetic data related to their health, genetic predispositions and risk factors, biological relatives, ancestry, and ethnicity, according to a lawsuit filed Thursday by California Attorney General Rob Bonta.

In 2023, 23andMe experienced a data breach that affected nearly 7 million users across the United States, including 855,541 Californians.

While 23andMe publicly touted its commitment to data privacy and transparency, it failed to take reasonable measures to protect its customers’ most sensitive data, ignored known vulnerabilities in its systems, and failed to properly investigate numerous warnings that its systems had been compromised, the lawsuit alleges.

The company also misled its customers and the public on crucial aspects of the 2023 data breach. In the lawsuit, Bonta alleges 23andMe’s failures to carry out and maintain reasonable security procedures and its misleading statements regarding its security and the data breach were unlawful.

“23andMe collected genetic data about millions of people, failed to meet its obligation under California law to keep that information safe, and then lied to consumers about the severity of its 2023 data breach,” Bonta said in a statement. “Our investigation found that the company failed to take basic steps to protect users’ data – data including the sensitive personal information, family histories, and health conditions of consumers.” 

Bonta said the sale of the data on the dark web took place during a period of anti-Asian American and Pacific Islander and antisemitic hate and violence.

“This is disturbing and incredibly dangerous,” the attorney general said.

Background

Founded in San Francisco, 23andMe was the first and one of the largest direct-to-consumer genetic testing companies in the world. Customers sent their saliva samples to 23andMe for DNA analysis. The company stored data on consumers’ raw DNA sequence and used that information to provide consumers with reports about their ancestry, ethnicity, and genetic health. 

On Oct. 6, 2023, 23andMe confirmed that it had suffered a major data breach. For five months, a hacker had breached 23andMe’s systems undetected by accessing about 14,000 customers’ 23andMe accounts. The hacker leveraged that access, as well as other vulnerabilities within 23andMe’s systems, to obtain the data of nearly 7 million 23andMe customers.

23andMe’s post-breach statements to consumers were misleading and omitted critical information regarding the breach, according to the lawsuit. While 23andMe assured the public that it hadn’t experienced a data security incident and downplayed the sensitivity of the stolen data by claiming that the information stolen from the “DNA Relatives” feature was public, 23andMe was negotiating and paying a ransom to the hacker in exchange for them removing damaging information on the breach that had been posted online and providing information about multiple 23andMe security vulnerabilities.

The investigation and lawsuit

A 2023 investigation by the California Department of Justice and a multistate coalition found that 23andMe’s pre-breach data security procedures fell below security and industry standards. In addition, 23andMe made misleading statements before and after the breach.

The lawsuit argues that 23andMe failed to carry out reasonable security procedures for the personal information and genetic data that it maintained to protect that information from unauthorized access.

The lawsuit calls for civil penalties against 23andMe and injunctions blocking the company from further violations of California’s privacy protection laws.

The lawsuit is separate from the attorney general’s pending challenge in the U.S. Bankruptcy Court on the sale of Californians’ genetic information and material in bankruptcy.